I'm trying to make a change to allow users to write to specific folders in the Program Files directory. Currently they have Read / Execute, but a few programs require the ability to write to update config files, etc. I just want to allow these folders write access, and I believe I make that change in the Default Domain Policy - Computer Config - Policies - Windows Settings - Security Settings - File System. When I go there, the Security Settings icon and the File System icon have a little padlock beside them. Nothing is listed in the File System area, and I can't create a new rule.

I'm not too sure what I'm missing. Can someone point me in the right direction? All the searching through forums hasn't helped.

When I go to Add File it browses my server drive. I would like to add C:\Program Files (x86)\Calc.NET so the user can have read/write, but with Add File I can only see what's listed on my server drive. If I did choose C:\Program Files (X86) from the server browser and chose OK, will that affect the local machine's Program Files folder? Can I get it more specific to unlock specific programs, or do I have to just do it globally for Program Files?

If I did choose C:\Program Files (X86) from the server browser and chose OK, will that affect the local machine's Program Files folder?

It depends. If you enter "C:\program files (x86)", GPO will translate it to the %programfiles(x86)% environment variable (because it points to c:\Program Files (x86) on the server), which is not what you desire, since such a variable doesn't exist on 32-bit Windows and thus will not be applied properly. Just specify the folder as it is on the machine side, not the server. Ignore the fact that the given folder or file is not present on the server side. It will be applied to domain machines just fine.

amoore wrote:

Can I get it more specific to unlock specific programs or do I have to just do it globally for program files?

You can be as specific as you require. It can be a single file, a folder, a folder and all subfolders/files, etc.

Generally, granting users write access to c:\Program Files is a very bad idea. Be as specific as possible in this matter.

2. A file browser window appears, showing the C: root on the server. Browse for file, click ok. File I want to give access to is on client computer, not on server. Unable to add the file I want.

3. Set permissions.

The only way I can see to do it at this point would be to install all the programs I need to modify onto the server, set up my permissions and file access rules, and uninstall the applications off the server, because the Add File option brings up a file browser that I can't type into. But that can't be right!

I tried exporting the two I have currently, editing the text file and adding the file, but it only adds the text file itself, not the contents.

I thought you'd been trying to set permissions on existing files/folders, not to create/edit them on the user side.

To edit permissions, simply add the file/folder "blindly", by typing the whole path to it in the Add File context window (in the "Folder" field). It's safer to copy the path from the user machine to be sure it's OK.

To add a custom file, you'd rather use a startup script or GPO preferences.

I'd just put something in a startup script (batch file), kind of like this:

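rem Test the same quoted long path that mkdir creates; the 8.3 short name
rem (Progra~1) is not guaranteed to exist or to point at Program Files.
if exist "C:\Program Files\Calc.Net" goto end
if not exist "C:\Program Files\Calc.Net" goto create
:create
mkdir "C:\Program Files\Calc.Net"
:end
echo end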

Then make sure you have the permissions set on the GPO and away you go......

If you're into creating a folder with files via a startup script, it's pointless to split the task so that a different part of the GPO sets the proper permissions for it. It can all be done within a script, by using cacls (or xcacls):
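
A scoped version of the startup-script approach discussed in this thread, as an added example that is not part of any post. It assumes icacls (the replacement for cacls on current Windows), BUILTIN\Users as the group to receive access, Modify as the right, and the folder name Calc.NET from the question; it also handles the 32-bit case raised above, where %ProgramFiles(x86)% is not defined.

```batch
@echo off
rem Added example, not from the thread. Intended as a computer startup
rem script, so it runs with enough rights to change ACLs in Program Files.
setlocal

rem 64-bit Windows defines ProgramFiles(x86); 32-bit Windows does not,
rem so fall back to ProgramFiles there. No parenthesised blocks are used
rem because the expanded path itself contains ")".
set "BASE=%ProgramFiles%"
if defined ProgramFiles(x86) set "BASE=%ProgramFiles(x86)%"

rem Assumption: the application folder name asked about in the question.
set "TARGET=%BASE%\Calc.NET"

rem Create the folder only when it is missing; stop if that fails.
if not exist "%TARGET%\" mkdir "%TARGET%" || goto fail

rem Grant Modify to BUILTIN\Users, addressed by its well-known SID
rem (S-1-5-32-545) so the script does not depend on the OS language.
rem (OI)(CI) makes files and subfolders of this one folder inherit the
rem entry; Program Files itself and sibling folders are left untouched.
rem /grant:r replaces any earlier explicit entry for the same SID, so
rem running the script at every startup does not pile up entries.
icacls "%TARGET%" /grant:r "*S-1-5-32-545:(OI)(CI)M" || goto fail

rem Print the resulting ACL so the outcome can be checked.
icacls "%TARGET%"
endlocal
exit /b 0

:fail
echo Failed to prepare "%TARGET%" 1>&2
endlocal
exit /b 1
```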